When we feel threatened, we take action to mitigate the threat. Right?
Most of us would answer yes, but when it comes to threats to our privacy, that is not necessarily the case.
Consider this: 90 percent of US consumers who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, but many persist with actions and attitudes that put that privacy and security at risk.
That statistic is from ISACA’s annual IT Risk/Reward Barometer survey, which examines the latest perceptions and business behaviors regarding BYOD (“bring your own device,” where employees use personal devices for work tasks) and mobile security, cloud computing, and risk management.
More than 4,500 ISACA members in Africa, Asia, Europe, Latin America, North America and Oceania participated in the survey.
When it comes to the BYOD trend, companies in Oceania and Africa allow employees to use their own device for work purposes more than companies in the other regions do. In fact, nearly half of responding enterprises in Oceania freely allow it, while only 28 percent of European companies do. As a native Australian, I am not surprised by this by this outcome as we have learned to be very innovative by nature!
In every region surveyed, IT professionals report that the risk of BYOD outweighs the benefit. And yet, we continue to embrace this trend. Even stranger, at least one-quarter of companies say they do not address BYOD at all in their security policies (which tells me they need to update those policies).
As mentioned above, the overwhelming majority of individuals surveyed in the US who use a computing device for work activities feel that their online privacy is threatened, but many persist with actions and attitudes that put their privacy and security at risk. They’re cognizant of the dangers (data breaches, viruses, malware), but they’re swayed by the benefits presented by BYOD—mobile working, comfort with the devices, etc. I understand that.
The risk of BYOD pose a special challenge to employers during the holidays, given that survey respondents say they’ll spend 12 hours on average shopping from personal devices also used for work purposes (and 13 hours on work-issued devices). The more we shop, the more we share. And the more we share, the more vulnerable we are to problems.
"As people share more intimate details about themselves online, they are more likely they are to be a victim of social engineering attacks," explains John Pironti, an advisor with ISACA and president of IP Architects LLC. “Data aggregators are reducing the barrier to entry for hackers and others with bad intent.”
Unfortunately, the risk is increasing. More than half (53%) of survey respondents feel that sharing information online has become riskier over the past year. I’m with them—I’ve read too many reports in the past 12 months not to recognize the growing threats.
According to ISACA’s IT Risk/Reward Barometer survey:
- 65 percent of respondents do not verify the security settings of online shopping sites
- 36 percent have clicked on a link on a social media site from their work device
- 19 percent used their work email address for personal online shopping or other non-work activities
- 12 percent stored work passwords on their personal device
- 11 percent used a cloud service like Dropbox or Google Docs without their company’s knowledge
There is risk involved with all of those activities, yet so many of us continue to do them on work-issued and BYOD devices.
(Of course, I deny being among those who will spend two full days shopping online during work hours this holiday season, as some 37 percent of respondents said they would, but there are times I do perform work and personal activities on the same device.)
Just as in many parts of our lives, there is a gap between what we believe and how we act. That’s human nature. Despite considerable concern about our online privacy and security, many of us are simply not willing to give up the benefits and conveniences now available online, even if these behaviors are deemed high risk by our IT departments.
So where do we go from here? Education and security awareness training can help bridge this gap. And, naturally, we should not be afraid to adopt new technologies and practices. BYOD is here to stay, and the benefits it offers will only increase as we become more accustomed to it. (The Internet poses its own risks, and yet, here we are.)
I agree with ISACA in its embrace-and-educate approach. I believe we should embrace the technologies available and the value they bring, but also educate ourselves, our clients, colleagues and employees on the risk and make sure they are aware of—and follow—our companies’ policies.
Although the new year is several weeks away, I think this is one resolution we shouldn’t wait to adopt!
Robert Stroud, CGEIT, CRISC
Vice President, CA Technologies
*Download the full results of the 2012 ISACA IT Risk/Reward Barometer to see how your views and your company’s policies compare to the survey findings.
We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post. To view all blog posts, please click on the ISACA Now link in the blue box on the left.